Monday, January 22, 2007

* How to build Authorization Module for TCP Remoting channel

From .NET 2.0 on, the framework includes a security infrastructure for the TCP channel that can be enabled purely through configuration.

The entry below enables security for the TCP channel:

<configuration>
    <system.runtime.remoting>
        <application>
            <service>
                <wellknown mode="SingleCall" type="VikasGoyal.ImplementationClass, Server" objectUri="server.rem" />
            </service>
            <channels>
                <channel ref="tcp" secure="true" port="8080" impersonate="true" />
            </channels>
        </application>
    </system.runtime.remoting>
</configuration>

Apart from authentication support, a centralized authorization hook has also been included; it can be used to apply authorization to every connection made to the TCP channel.

The property added is authorizationModule. The sample below shows its usage:

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
    <system.runtime.remoting>
        <application>
            <service>
                <wellknown mode="SingleCall" type="VikasGoyal.ImplementationClass, Server" objectUri="server.rem" />
            </service>
            <channels>
                <channel ref="tcp" secure="true" port="8080" impersonate="true" authorizationModule="VikasGoyal.Server.AuthorizationModule, Server, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
            </channels>
        </application>
    </system.runtime.remoting>
</configuration>

The authorization module must implement the System.Runtime.Remoting.Channels.IAuthorizeRemotingConnection interface, which provides two methods in which authorization checks can be made and decisions taken based on the client's network address and on the client's user identity.

Below is a sample implementation:

using System;
using System.Net;
using System.Runtime.Remoting.Channels;
using System.Security.Principal;

namespace VikasGoyal.Server
{
    // Referenced from the channel's authorizationModule attribute; the runtime
    // instantiates it and calls both methods for every incoming connection.
    public class AuthorizationModule : IAuthorizeRemotingConnection
    {
        // Called with the client's network address when the connection is accepted.
        public bool IsConnectingEndPointAuthorized(EndPoint endPoint)
        {
            Console.WriteLine("Connecting IP: " + endPoint);
            return true;
        }

        // Called with the client identity once the channel has authenticated it.
        public bool IsConnectingIdentityAuthorized(IIdentity identity)
        {
            Console.WriteLine("Connecting identity: " + identity.Name);
            return true;
        }
    }
}
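As an added example (not code from the original post), the same interface with a deny-by-default policy: the connecting endpoint is checked against an allow-list of client addresses and the identity against a list of Windows groups, both read from appSettings keys (AllowedClientAddresses and AllowedGroups are assumed names, as is the assumption that the secure channel hands the module a WindowsIdentity). The endpoint check runs before authentication and a source address can be shared behind NAT or spoofed, so the group check is the control to rely on.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Net;
using System.Runtime.Remoting.Channels;
using System.Security.Principal;

namespace VikasGoyal.Server
{
    // Example module (not from the original post): deny by default, allow only the client
    // addresses and Windows groups listed in appSettings under the assumed keys
    // "AllowedClientAddresses" and "AllowedGroups" (semicolon-separated values).
    public class RestrictiveAuthorizationModule : IAuthorizeRemotingConnection
    {
        private readonly List<IPAddress> allowedAddresses = new List<IPAddress>();
        private readonly List<string> allowedGroups = new List<string>();
        public RestrictiveAuthorizationModule()
        {
            foreach (string entry in Split(ConfigurationManager.AppSettings["AllowedClientAddresses"]))
            {
                IPAddress address;
                if (IPAddress.TryParse(entry.Trim(), out address)) allowedAddresses.Add(address);
            }
            foreach (string group in Split(ConfigurationManager.AppSettings["AllowedGroups"]))
                allowedGroups.Add(group.Trim());
        }
        private static string[] Split(string value)
        {
            if (string.IsNullOrEmpty(value)) return new string[0];
            return value.Split(new char[] { ';' }, StringSplitOptions.RemoveEmptyEntries);
        }
        // Called before authentication: the source address is a coarse filter, not proof of identity.
        public bool IsConnectingEndPointAuthorized(EndPoint endPoint)
        {
            IPEndPoint ipEndPoint = endPoint as IPEndPoint;
            return ipEndPoint != null && allowedAddresses.Contains(ipEndPoint.Address);
        }
        // Called after the channel has authenticated the caller; this is the check to rely on.
        public bool IsConnectingIdentityAuthorized(IIdentity identity)
        {
            WindowsIdentity windowsIdentity = identity as WindowsIdentity;
            if (windowsIdentity == null || !windowsIdentity.IsAuthenticated) return false;
            WindowsPrincipal principal = new WindowsPrincipal(windowsIdentity);
            foreach (string group in allowedGroups)
                if (principal.IsInRole(group)) return true;
            Console.WriteLine("Identity {0} denied: not in an allowed group", identity.Name);
            return false;
        }
    }
}
```

Register it in the channel element exactly as the post shows, replacing the type name with VikasGoyal.Server.RestrictiveAuthorizationModule, and add the two appSettings keys to the server's app.config.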


Related Links

Security : SSPI in .NET 2.0


1 comment:

  1. I know this is an old article, but I was wondering if there is a way to put logic into the implementation so that you could check the groups of the identity against a configurable list (say from within the app.config settings)?